VYPR
Unrated severity · NVD Advisory · Published Apr 20, 2020 · Updated Aug 5, 2024

CVE-2017-18824

Description

Certain NETGEAR devices are affected by directory traversal. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Directory traversal in NETGEAR fully managed switches before 12.0.2.15 allows local attackers to read arbitrary files.

Vulnerability

A directory traversal vulnerability exists in the web-based management interface of multiple NETGEAR fully managed switch models. Affected models include M4300-28G, M4300-52G, M4300-28G-POE+, M4300-52G-POE+, M4300-8X8F, M4300-12X12F, M4300-24X24F, M4300-24X, M4300-48X, and M4200 running firmware versions prior to 12.0.2.15 [1]. The vulnerability allows an attacker to traverse directories outside the intended restricted path.

Exploitation

An attacker with local network access to the switch's management interface can exploit this vulnerability without authentication. By sending a crafted HTTP request containing path traversal sequences (e.g., ../), the attacker can read arbitrary files from the device's filesystem [1]. No user interaction is required.

Impact

Successful exploitation allows an attacker to read sensitive files on the device, such as configuration files containing credentials or other network settings. This compromises the confidentiality of data stored on the device. The CVSS v3 base score is 4.0 (Medium) with vector AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [1].

Mitigation

NETGEAR has released firmware version 12.0.2.15 for all affected models, which fixes this vulnerability. Users should download and install the latest firmware from NETGEAR's support website [1]. No workarounds are provided.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
